Release v5.4.0 into Main

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/code.release.branch.yml

@@ -58,6 +58,12 @@ jobs:
           echo ${RELEASE_TAG:1} > VERSION
           # Update package-lock.json to reflect new version
           npm install
+          # Regenerate CDK baselines from MockApp
+          echo "📝 Regenerating CDK baselines..."
+          rm -rf test/cdk/stacks/__baselines__
+          mkdir -p test/cdk/stacks/__baselines__
+          npm test -- test/cdk/stacks/snapshot.test.ts --testNamePattern="is compatible with baseline"
+          echo "✅ CDK baselines regenerated"
           # Add the generated PR description to the top of CHANGELOG.md
           echo "📝 Adding release notes to CHANGELOG.md..."
           # Create a temporary file with the new content

.github/workflows/test-and-lint.yml

@@ -75,6 +75,9 @@ jobs:
         fi
         pip install -e ./lisa-sdk
     - name: Run tests
+      env:
+        ACCOUNT_NUMBER: '012345678901'
+        REGION: us-east-1
       run: |
         make test-coverage
   pre-commit:

.gitignore

@@ -1,3 +1,4 @@
+.direnv
 *.js
 !tailwind.config.js
 !postcss.config.js

.pre-commit-config.yaml

@@ -16,14 +16,14 @@ repos:
   hooks:
     - id: bandit
       args: [--recursive, -c=pyproject.toml]
-      additional_dependencies: ['bandit[toml]', 'pbr']
+      additional_dependencies: ['bandit[toml]', 'pbr', 'PyYAML']
 
 - repo: https://github.com/Yelp/detect-secrets
   rev: v1.5.0
   hooks:
     - id: detect-secrets
       exclude: (?x)^(
-        .*.ipynb|config.yaml|.*.md|.*test.*.py
+        .*.ipynb|config.yaml|.*.md|.*test.*.py|test/cdk/stacks/__baselines__/.*\.json
         )$
 
 - repo: https://github.com/pre-commit/pre-commit-hooks

CHANGELOG.md

@@ -1,3 +1,39 @@
+# v5.4.0
+
+## Key Features
+
+### Bedrock Guardrails Integration
+LISA Administrators can now Bedrock Guardrails to any models via the Model Management page or API
+- **Comprehensive Protection**: Integrated with Bedrock Guardrails through LiteLLM's proxy support of the ApplyGuardrail API, enabling guardrails during prompt input, response generation, and prompt output.
+- **Advanced Capabilities**: Supports topic denial, word filtering, sensitive information limitation, contextual grounding checks, and automated reasoning for factual accuracy.
+- **Flexible Administration**: Administrators can apply Guardrails to any LISA model (self hosted or 3rd party) via the Model Management UI or API, with customizable permissions for different user groups.
+- **Adaptive Policies**: Guardrails and group permissions can be updated anytime to evolve content moderation alongside organizational needs.
+
+### Offline/Air-gapped Deployment Support
+Enhanced the platform to support offline and air-gapped deployments by enabling pre-caching of external dependencies for the REST API and MCP Workbench.
+- **Nodeenv Pre-caching**: Added support for pre-caching the required nodeenv in the REST API container to enable offline deployments.
+- **Offline Deployment**: Enabled configuration of pre-cached external dependencies for the MCP Workbench via  to support offline and air-gapped deployments.
+
+### MCP Workbench Refactoring
+Migrated the MCP Workbench deployment to use the shared LisaServe ECS cluster, improving modularity and enabling conditional deployment.
+- **MCP Workbench Stack**: Created a dedicated stack that deploys the MCP Workbench as a separate ECS service on the shared cluster.
+- **Conditional Deployment**: Introduced a  configuration flag to control the optional deployment of the MCP Workbench.
+- **Container Overrides**: Added support for overriding the MCP Workbench container image during deployment..
+
+### MCP Workbench UX Improvements
+Enhanced the user experience of the MCP Workbench with tool validation, error display, and theme support.
+- **Validation**: Implemented tool validation to improve the user experience.
+- **Theming**: Introduced theme support for the MCP Workbench UI.
+
+## Acknowledgements
+* @batzela
+* @bedanley
+* @dustins
+* @estohlmann
+* @jmharold
+
+**Full Changelog**: https://github.com/awslabs/LISA/compare/v5.3.2..v5.4.0
+
 # v5.3.2
 
 ## Key Features
@@ -20,7 +56,7 @@ This release includes updates to our [documentation site](https://awslabs.github
 
 ## Acknowledgements
 * @bedanley
-* @dustinps
+* @dustins
 * @estohlmann
 * @jmharold
 

Makefile

@@ -13,33 +13,30 @@ PROJECT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 HEADLESS = false
 DOCKER_CMD ?= $(or $(CDK_DOCKER),docker)
 
+# Function to read config with fallback to base config and default value
+# Usage: VAR := $(call get_config,property,default_value)
+define get_config
+$(shell test -f $(PROJECT_DIR)/config-custom.yaml && yq -r $(1) $(PROJECT_DIR)/config-custom.yaml 2>/dev/null | grep -v '^null$$' || \
+        (test -f $(PROJECT_DIR)/config-base.yaml && yq -r $(1) $(PROJECT_DIR)/config-base.yaml 2>/dev/null | grep -v '^null$$') || \
+        echo "$(2)")
+endef
 
 # PROFILE (optional argument)
 ifeq (${PROFILE},)
-TEMP_PROFILE := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .profile)
-ifneq ($(TEMP_PROFILE), null)
-PROFILE := ${TEMP_PROFILE}
-else
-$(warning profile is not set in the command line using PROFILE variable or config files, attempting deployment without this variable)
+PROFILE := $(call get_config,.profile,)
+ifeq ($(PROFILE),)
+$(warning profile is not set in command line using PROFILE variable or config files, attempting deployment without this variable)
 endif
 endif
 
 # DEPLOYMENT_NAME
 ifeq (${DEPLOYMENT_NAME},)
-DEPLOYMENT_NAME := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .deploymentName)
-endif
-
-ifeq (${DEPLOYMENT_NAME}, null)
-DEPLOYMENT_NAME := $(shell cat $(PROJECT_DIR)/config-base.yaml | yq .deploymentName)
-endif
-
-ifeq (${DEPLOYMENT_NAME}, null)
-DEPLOYMENT_NAME := prod
+DEPLOYMENT_NAME := $(call get_config,.deploymentName,prod)
 endif
 
 # ACCOUNT_NUMBER
 ifeq (${ACCOUNT_NUMBER},)
-ACCOUNT_NUMBER := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .accountNumber)
+ACCOUNT_NUMBER := $(call get_config,.accountNumber,)
 endif
 
 ifeq (${ACCOUNT_NUMBER},)
@@ -48,18 +45,16 @@ endif
 
 # REGION
 ifeq (${REGION},)
-REGION := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .region)
+REGION := $(call get_config,.region,)
 endif
 
 ifeq (${REGION},)
 $(error region must be set in command line using REGION variable or config files)
 endif
 
+# PARTITION
 ifeq (${PARTITION},)
-PARTITION := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .partition )
-endif
-ifeq (${PARTITION}, null)
-PARTITION := aws
+PARTITION := $(call get_config,.partition,aws)
 endif
 
 # DOMAIN - used for the docker login
@@ -76,29 +71,13 @@ endif
 # Arguments defined through config files
 
 # APP_NAME
-APP_NAME := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .appName)
-ifeq (${APP_NAME}, null)
-APP_NAME := $(shell cat $(PROJECT_DIR)/config-base.yaml | yq .appName)
-endif
-
-ifeq (${APP_NAME}, null)
-APP_NAME := lisa
-endif
+APP_NAME := $(call get_config,.appName,lisa)
 
 # DEPLOYMENT_STAGE
-DEPLOYMENT_STAGE := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .deploymentStage)
-ifeq (${DEPLOYMENT_STAGE}, null)
-DEPLOYMENT_STAGE := $(shell cat $(PROJECT_DIR)/config-base.yaml | yq .deploymentStage)
-endif
-
-ifeq (${DEPLOYMENT_STAGE}, null)
-DEPLOYMENT_STAGE := prod
-endif
+DEPLOYMENT_STAGE := $(call get_config,.deploymentStage,prod)
 
 # ACCOUNT_NUMBERS_ECR - AWS account numbers that need to be logged into with Docker CLI to use ECR
-ifneq ($(shell cat $(PROJECT_DIR)/config-custom.yaml | yq '.accountNumbersEcr'), null)
-ACCOUNT_NUMBERS_ECR := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq .accountNumbersEcr[])
-endif
+ACCOUNT_NUMBERS_ECR := $(shell test -f $(PROJECT_DIR)/config-custom.yaml && yq '.accountNumbersEcr[]' $(PROJECT_DIR)/config-custom.yaml 2>/dev/null || echo "")
 
 # Append deployed account number to array for dockerLogin rule
 ACCOUNT_NUMBERS_ECR := $(ACCOUNT_NUMBERS_ECR) $(ACCOUNT_NUMBER)
@@ -113,13 +92,18 @@ ifneq ($(findstring $(DEPLOYMENT_STAGE),$(STACK)),$(DEPLOYMENT_STAGE))
 endif
 
 # MODEL_IDS - IDs of models to deploy
-ifneq ($(shell cat $(PROJECT_DIR)/config-custom.yaml | yq '.ecsModels'), null)
-MODEL_IDS := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq '.ecsModels[].modelName')
-endif
+MODEL_IDS := $(shell test -f $(PROJECT_DIR)/config-custom.yaml && yq '.ecsModels[].modelName' $(PROJECT_DIR)/config-custom.yaml 2>/dev/null || echo "")
 
 # MODEL_BUCKET - S3 bucket containing model artifacts
-MODEL_BUCKET := $(shell cat $(PROJECT_DIR)/config-custom.yaml | yq '.s3BucketModels')
+MODEL_BUCKET := $(call get_config,.s3BucketModels,)
 
+# BASE_URL - Base URL for web UI assets based on domain name and deployment stage
+DOMAIN_NAME := $(call get_config,.apiGatewayConfig.domainName,)
+ifeq ($(DOMAIN_NAME),)
+BASE_URL := /$(DEPLOYMENT_STAGE)/
+else
+BASE_URL := /
+endif
 
 #################################################################################
 # COMMANDS                                                                      #
@@ -269,7 +253,7 @@ listStacks:
 	@npx cdk list
 
 buildNpmModules:
-	npm run build
+	BASE_URL=$(BASE_URL) npm run build
 
 buildArchive:
 	BUILD_ASSETS=true npm run build

VERSION

@@ -1 +1 @@
-5.3.2
+5.4.0

bin/build-images

@@ -89,6 +89,13 @@ ecr_login() {
     fi
 }
 
+# Function to check if a config parameter is enabled (defaults to true if not present)
+should_build_image() {
+    local param="$1"
+    local value=$(yq ".${param}" "$ROOT/custom-config.yaml" 2>/dev/null)
+    [[ "$value" != "false" ]]
+}
+
 # Main function to build all images
 build_all_images() {
     echo "Starting Docker image builds..."
@@ -117,6 +124,17 @@ build_all_images() {
     rsync -av --exclude='__pycache__' ./lambda/ "$BUILD_DIR/"
     build_image "Dockerfile" "lisa-batch-ingestion" "$LISA_VERSION" "$RAG_DIR" "NODE_ENV=production"
 
+    # lisa-mcp-workbench (conditional)
+    if should_build_image "deployMcpWorkbench"; then
+        MCP_DIR="./lib/serve/mcp-workbench"
+        build_image "Dockerfile" "lisa-mcp-workbench" "$LISA_VERSION" "$MCP_DIR" \
+            "NODE_ENV=production" \
+            "BASE_IMAGE=python:3.13.7-slim"
+    else
+        echo "deployMcpWorkbench is disabled, skipping lisa-mcp-workbench build"
+        echo ""
+    fi
+
     # lisa-tei
     build_image "Dockerfile" "lisa-tei" "latest" "./lib/serve/ecs-model/embedding/tei" \
         "NODE_ENV=production" \

ecs_model_deployer/src/lib/ecsCluster.ts

@@ -237,7 +237,8 @@ export class ECSCluster extends Construct {
                 environment,
                 logging: LogDriver.awsLogs({ streamPrefix: identifier }),
                 gpuCount: Ec2Metadata.get(ecsConfig.instanceType).gpuCount,
-                memoryReservationMiB: Ec2Metadata.get(ecsConfig.instanceType).memory - ecsConfig.containerMemoryBuffer,
+                memoryReservationMiB: taskDefinition.containerConfig.memoryReservation ??
+                    (Ec2Metadata.get(ecsConfig.instanceType).memory - ecsConfig.containerMemoryBuffer),
                 portMappings: [{ hostPort: 80, containerPort: 8080, protocol: Protocol.TCP }],
                 healthCheck: containerHealthCheck,
                 // Model containers need to run with privileged set to true

ecs_model_deployer/src/lib/lisa_model_stack.ts

@@ -57,7 +57,8 @@ export class LisaModelStack extends Stack {
         super(scope, id, props);
 
         const vpc = Vpc.fromLookup(this, `${id}-vpc`, {
-            vpcId: props.vpcId
+            vpcId: props.vpcId,
+            returnVpnGateways: false,
         });
 
         let subnetSelection: SubnetSelection | undefined;

eslint.config.js → eslint.config.mjs

@@ -142,30 +142,32 @@ export default [
   },
   {
     ignores: [
-      'dist/**',
-      'node_modules/**',
+      '**/*.bundle.js',
+      '**/*.d.ts',
+      '**/*.min.js',
+      '**/.venv/**',
+      '**/build/**',
+      '**/coverage/**',
+      '**/dist/**',
+      '**/venv/**',
+      '*.bundle.js',
+      '*.min.js',
+      '.venv/**',
       'build/**',
       'coverage/**',
+      'cypress/dist/**',
+      'dist/**',
+      'ecs_model_deployer/dist/**',
       'htmlcov/**',
+      'lib/docs/.vitepress/cache/**',
+      'lib/docs/dist/**',
       'lib/user-interface/react/dist/**',
       'lib/user-interface/react/public/**',
-      'lib/docs/dist/**',
-      'lib/docs/.vitepress/cache/**',
-      'ecs_model_deployer/dist/**',
+      'node_modules/**',
+      'pnpm-lock.yaml',
+      'pnpm-workspace.yaml',
       'vector_store_deployer/dist/**',
-      'cypress/dist/**',
-      '.venv/**',
       'venv/**',
-      '*.min.js',
-      '*.bundle.js',
-      '**/*.min.js',
-      '**/*.bundle.js',
-      '**/dist/**',
-      '**/build/**',
-      '**/coverage/**',
-      '**/.venv/**',
-      '**/venv/**',
-      '**/*.d.ts'
     ]
   }
 ];